Medium severity5.3NVD Advisory· Published Feb 27, 2024· Updated Jun 17, 2026
CVE-2024-26144
CVE-2024-26144
Description
Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak. The vulnerability is fixed in 7.0.8.1 and 6.1.7.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
activestorageRubyGems | >= 5.2.0, < 6.1.7.7 | 6.1.7.7 |
activestorageRubyGems | >= 7.0.0, < 7.0.8.1 | 7.0.8.1 |
Affected products
3- osv-coords2 versions
>= 5.2.0, < 6.1.8+ 1 more
- (no CPE)range: >= 5.2.0, < 6.1.8
- (no CPE)range: >= 5.2.0, < 6.1.7.7
- Range: >= 5.2.0, < 6.1.7.7
Patches
Vulnerability mechanics
References
10- github.com/rails/rails/commit/723f54566023e91060a67b03353e7c03e7436433nvdPatchWEB
- github.com/rails/rails/commit/78fe149509fac5b05e54187aaaef216fbb5fd0d3nvdPatchWEB
- discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945nvdVendor AdvisoryWEB
- github.com/advisories/GHSA-8h22-8cf7-hq6gghsaADVISORY
- github.com/rails/rails/security/advisories/GHSA-8h22-8cf7-hq6gnvdVendor AdvisoryWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2024-26144.ymlnvdThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2024-26144ghsaADVISORY
- security.netapp.com/advisory/ntap-20240510-0013/nvdThird Party Advisory
- github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26144.ymlghsaWEB
- security.netapp.com/advisory/ntap-20240510-0013ghsaWEB
News mentions
0No linked articles in our index yet.